Version: 1.2

What's New

Version 1.2 updates are aimed at improving user interaction with the TRON.ASOC product, as well as implementing new tools and scan sources.

New Integrations

The following integrations have been implemented:

  • New tool integrations:
    • Integration with Semgrep (SAST). This static application security testing tool checks source code to identify potential vulnerabilities and their sources.
    • Refactored integration with Codescoring. Added capability to work with full functionality (security policies, secret detection, reachability, dependency tree, ssc-plugin, etc.).
    • Integration with Aqua Security. This solution provides comprehensive native container protection.
  • New source integrations:
    • Integration with JFrog Artifactory as a scan source. The JFrog platform is designed for managing and deploying software packages.
    • Integration with Harbor as an image delivery source.
  • Infrastructure integrations:
    • Integration with the Jira ticketing system. To support flexible workflows and prompt response to security issues, field mapping with Jira can be configured, and tickets (Items) can be created and their status tracked. Items can be created in Jira manually or automatically through response policies, and ticket closure results are received back in ASOC, eliminating the need to track status in Jira and update data in ASOC by hand.
    • Integration with SMTP server for email notifications.
    • Integration with LDAP/AD. Added the following capabilities:
      • Corporate account management based on:
        • Local account storage (LDAP)
        • Active Directory domain accounts (AD)
      • Automatic user import from AD.
      • Mapping user groups from AD to internal user groups in the ASOC system.

New Product Features/Sections

  • Response Policy. Added configuration for notifications on any system events.
  • Detailed PDF report for connected projects.
  • Advanced Role Model. Introduced granular role model allowing fine-tuning of user and user group access to solution functionality. Key capabilities:
    • Extended access matrix for roles
    • Configuring user access for reading/modifying/deleting objects using checkboxes
    • Specific access for Scan Execution/Report Creation sections
    • Assigning rights separately for each role, globally or for specific project/tag, including adding/using tools
  • SBOM Library. Functionality for manual SBOM upload and viewing all dependencies used in a project, at both code level and container image level, with filtering by code dependencies and container image dependencies.

Interface and Capability Improvements

  1. SSDL Practice Tracking. Added display of applied tools in the Projects section with filtering capability, and added tool usage chart to each project's dashboard.
  2. Extended List of Secure Development Metrics in ASOC. Capability to collect and consolidate data on key performance indicators and secure code development process metrics, including:
    • General indicators by specific systems/services/applications, software development departments, and the organization as a whole
    • Percentage of existing information systems/applications covered by secure development practices
    • Average security defect lifespan (Lead Time)
    • Average security defect identification time (Mean-Time-To-Detect)
    • Average security defect resolution time (Mean-Time-To-Resolve)
    • Average time in specific status
    • Number of vulnerabilities in projects
    • Number of open vulnerabilities in projects
    • Number of most critical vulnerabilities and security defects
    • Percentage of resolved vulnerabilities and security defects
    • Integral risk index by systems/services/applications
    • Integral risk index dynamics across the entire portfolio of systems/services/applications
    • Risk density
    • Number of duplicate vulnerabilities
    • Scan frequency
    • Scan frequency coefficient
    • Average scan time
    • Number of security rules and issues that matched security rules
    • Number of vulnerabilities by security tool types in project
    • Number of vulnerabilities by scan sources in project
  3. Updated Dashboard. Added Dashboard Customization:
    • Capability to create UI dashboards with custom user filters
    • Capability to choose various visualization options for dashboards: line charts, bar and pie charts, cards
    • Capability to overlay multiple metrics on charts as selected by users
    • Capability to configure location, chart size, add/remove charts within offered options
  4. Expanded Filter Settings. Added capability to filter by additional fields and filter objects by individual CWE values.
  5. Added capability to reuse Security Pipeline Templates in other projects/pipelines. Allows complete or partial saving and creation of Security Check, Security Gate, and Source parameters from templates in other pipelines.
  6. Added Custom Severity Level within ASOC. Allows manual changing of severity level for security issues.
  7. Manual Security Issue Creation. Capability to manually create Issues, describe the necessary parameters, and upload scan results from any tool in JSON format.
  8. Capability to manually set Integration Names for the same tool type.
  9. Expanded Project Information. Implemented capability for field customization (owner, business unit, project number, compliance status with security requirements, network policies, etc.) and capability to view/edit/add/delete project characteristics.

Fixed Issues

Changes in this release are mainly related to adding new functionality and integrations and improving the user interface.

Compatibility and Requirements

No changes

Conclusion

Future product enhancements will primarily focus on implementing an AI Assistant that will offer comprehensive solutions for development security issues based on scan results, as well as expanding integration capabilities with various systems.